Cyberattack: The Possibilities Emergency Managers Need to Consider

Emergency managers are increasingly concerned about cyberattacks on 911 and other public safety systems.

Emergency planners routinely think about the outside world: What if that building fell to a natural disaster or man-made attack, or that neighborhood flooded? What if hackers disabled that water plant or took out the power grid?

Now turn that same question inward. What if they struck against you?

Consider cybercrime, one of the fastest-growing forms of social malice. Victims in the news typically include banks, online commerce and political targets. But hackers have taken aim against government institutions as well, and it’s not a far leap from there to imagine an attack against first responders themselves. It’s no sci-fi scenario to posit an attack against a 911 system, an emergency response center or police resources.

In fact, the threat is very real, and today’s emergency managers are tasked with ensuring not just that their systems are rock-solid, but also that their response plans are in place.

The Ohio Emergency Management Agency gives credence to the possibility that its own systems could someday come under cyberattack. The agency actively plans for such an incursion and thinks hard about remediation, said spokesperson Tamara McBride.

“We’re sitting down with our cyberworkgroup and discussing just that question. We’re very focused on the consequences of those threats,” she said. Suppose the department’s own communications systems were sabotaged, leaving no ready route to connect with citizens. “Do we go door to door? Do we go up the street with a bullhorn or reach out to ham radio volunteers? Those are all the things that are on the table.”

Protecting 911 Systems

For cybercriminals, 911 presents a tempting target: A single portal through which considerable destruction could be wrought. Emergency managers can take steps to mitigate the severity, should an event occur, said Jay English, director of Communications Center and 911 Services at APCO International.

“Contact your local phone provider and find out who your dedicated contact is for emergency and nonemergency lines serving your facilities. Find out in advance what you are supposed to do in case of some kind of attack.”

Emergency managers need to communicate with their 911 systems vendors. In case of a cyberevent, the vendor will need to know certain things: What trunks are being hit? From where do denial-of-service calls appear to be originating? Ask in advance what information will be needed.

Know your federal friends, in this case the FBI portal www.ic3.gov, where cybercrime victims can file complaints. Identify your attack as related to public safety telephony or data centers, and you’ll be bumped into the care of a special agent versed in such matters.

Maybe the bullhorn sounds excessive, but a range of experts say it would be hard to be too prepared for an attack that went to the core of emergency operations.

First of all, let’s admit there’s a threat. Starting at the top of the pyramid, the number of significant cybersecurity events against the U.S. government increased 680 percent over a five-year period, from 5,503 in 2006 to 42,887 in 2011, according to the U.S. Government Accountability Office.

So there’s clearly vulnerability within government. But does that trickle down to the state and local levels, specifically to emergency operations?

In Spartanburg County, S.C., a recent cyberattack flooded nonemergency phone lines, pushing calls over onto the 911 system, potentially jamming the emergency system and slowing dispatchers’ ability to respond to crisis calls.

Indianapolis Public Safety Director Troy Riggs paints an even grimmer picture. Speaking with local reporters after a forum on cybercrime, he offered a scenario in which an attack on first responder systems coincided with a terror attack. Essentially the idea is to detonate a bomb, then flood 911 call systems or cripple essential computers to stop responders from heading to the scene. It’s a techno-driven version of a common terror scenario in which a second bomb goes off just as ambulances arrive to treat the victims of a first explosion.

Such a scenario is not beyond the imagination. If a physical attack is possible, and a cyberattack is plausible, it would take little creativity to coordinate the two events, punching a hole in the center of response efforts.

Why is this possible? Ironically the steady improvements in emergency communication also have made those systems more vulnerable to attack. In short, it’s all about the Internet.

It starts with connectivity, with shared infrastructure controls, with intranet components and phone systems all increasingly routed through the Internet. “Everything these days is built out of Web technologies, even systems you would not expect to be connected to the Internet,” said Shuman Ghosemajumder, vice president of strategy at Shape Security in Mountain View, Calif.

Connectivity in turn creates ubiquity. Suddenly all our information assets are available through our physical assets: police cars with video recorders and fire trucks with their own Wi-Fi access points. “We have a lot of IT moving around in incident response,” said J.R. Cunningham, director of the state, local and education practice at security program provider Accuvant.

The company has successfully poked holes in that IT, for testing purposes, and Cunningham has concerns about the fundamental stability of the IT components that underlie emergency service systems. “These systems were not designed to be highly secure,” he said. “Generally they’ve evolved over time, with security often brought in as an afterthought.”

While the risk runs through any Internet-connected system, the threat may be particularly visible in the realm of 911. Where news coverage looks at cyberattacks on institutional networks, it often overlooks the threat to telephony, and yet that threat looms large in the emergency management world, where phone systems often are the link in the chain of incident response.

“As our 911 centers move into a more fully digital world, those 911 centers are going to be vulnerable to those same attacks that have been plaguing other networks, whether they are financial or commercial,” said Neal Puff, senior security solutions architect for the public sector at Verizon Terremark.